
Damage from Data Breaches in the Retail Sector is Diminishing, But Progress is a Mixed Bag

Retail & Consumer Products

December 15, 2015

Retailers were well represented on the list of “The 10 Most Expensive Data Breaches” compiled by Lori Widmer in LifeHealthPro (June 18, 2015). The Hannaford Bros, Target, TJ Maxx, and Home Depot breaches represented a combined estimated cost of $722 million, according to Widmer. As contingent third-party losses trickle in and are adjudicated, that number could well climb much higher over time. In addition to direct monetary costs, retailers run the risk of losing customers to competitors and other channels.

In his New York Times article, “A Hacking Epidemic That Hits Few Consumers in the Wallet,” Nathaniel Popper writes that, according to The Nilson Report, criminals made $7.8 billion in fraudulent purchases in 2014, with retailers paying 38% of the cost ($3.0 billion), the portion that banks did not pay.

As we enter the fall of 2015, retail breaches seem to make fewer headlines, so prevention and detection systems would appear to be working better. But there are still some key areas that should be addressed to improve security, including having up-to-date contingency plans. Fraudulent use of customers’ credit card information is only one of the areas requiring improvement as criminals become more sophisticated. Consequently, retailers and their customers are being exposed to new risks.

Impact of a Data Breach

One way to measure the impact of data breaches on retailers is to look at their per capita costs. This is calculated based on the number of people impacted and any costs associated with repairing the data breach, including notification, forensics, reputational repair and crisis communication. The $165 per capita cost of data breaches in retail is well below the median cost of $215 per capita for all industry sectors (which is skewed upward by high costs for health- and education-related breaches), but remains slightly above the cross-industry mean cost of $154 per capita. (Ponemon Institute 2015 Cost of Data Breach Study: Global Analysis.)

However, the $165 cost to retailers in 2015 represents a dramatic increase from a per capita cost of $105 in 2014. The Ponemon study, which included 37 retailers, generally attributes this increase to retailers spending more to address the consequences of data breaches, such as breach escalation, lost business, and post-breach costs. Even though the cost per capita and customer churn for data breaches rose last year, retailers continue to whittle away at many of the blind spots that bedevil companies in every industry sector (which we’ll discuss shortly), but the industry still has a long way to go.

Another way to measure the impact of a data breach is the loss of customers to competitors and other channels. Abnormal customer churn for retailers (after data breaches that compromise personally identifiable information) is still well below customer churn rates in the healthcare, pharmaceutical and financial services sectors. However, between 2014 and 2015 abnormal churn increased appreciably to 2.1% from 1.3%, a 62% increase. So while churn is still a challenge for retailers, it’s not quite as bad as in other industries.